The attackers who compromised SolarWinds, nine federal agencies, and at least 100 private companies including Microsoft not only searched through some of Microsoft’s source code repositories, but also downloaded small pieces of the source code for Azure identity and security functions, Exchange, and the Intune cloud-based mobile management and security service.
The Microsoft Security Response Center (MSRC), which handled the internal investigation into the intrusion, said Thursday that while the attackers did download some source code components, the investigators found no evidence that the attackers used the company’s own systems to attack other targets. The new details were part of Microsoft’s final report on the intrusion, which it first disclosed late last year around the time of the initial SolarWinds breach disclosure. The MSRC said the first detection of the attackers viewing Microsoft source code was in November, and although the company immediately secured the compromised accounts, the attackers continued to try to get back into those accounts until early January.
“There was no case where all repositories related to any single product or service were accessed. There was no access to the vast majority of source code. For nearly all of the code repositories accessed, only a few individual files were viewed as a result of a repository search,” the MSRC said in a post on its findings.
Microsoft had confirmed the source code access by the attackers previously, but it had not revealed which repositories were affected or that some components were downloaded. In some of the intrusions that followed the SolarWinds compromise and the creation of the malicious update, the attackers used forged SAML tokens in order to access victims’ email accounts. The MSRC said that technique was not used in the attack on Microsoft’s systems, but the attackers were looking for specific things in the source code repositories.
“The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials,” the MSRC said.
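The MSRC statement above describes the defensive check that matters here: verifying that current and historical branches contain no live credentials, not just the default branch. The scanner below is an added example written for this article, not Microsoft's own tooling. It assumes a repository presented as in-memory branch snapshots (the `REPO_SNAPSHOTS` data is constructed; every value in it is invented), applies a few structural rules plus an entropy gate for generic "password = ..." literals, and suppresses documentation placeholders so that a README example key is not reported as a production secret.

```python
import math
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample input: a repository modelled as branch -> [(path, content)].
# Every value below is invented for this example; none is a real credential.
# In real use, each branch (and, for history, each commit) would be fed in here.
REPO_SNAPSHOTS: Dict[str, List[Tuple[str, str]]] = {
    "main": [
        ("src/config.py",
         'DB_HOST = "db.internal"\n'
         'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'),
        ("README.md",
         "Configure AWS with a key such as AKIAIOSFODNN7EXAMPLE (placeholder).\n"),
    ],
    # A stale feature branch still carries what was cleaned out of main.
    "feature/old-login": [
        ("src/config.py",
         'DB_HOST = "db.internal"\n'
         'DB_PASSWORD = "Sup3rS3cretPr0d!"\n'),
        ("keys/deploy_key",
         "-----BEGIN RSA PRIVATE KEY-----\n"
         "MIIEconstructedbodynotarealkey\n"
         "-----END RSA PRIVATE KEY-----\n"),
    ],
}


class Finding(NamedTuple):
    branch: str
    path: str
    line: int
    rule: str


# Each rule: (name, compiled regex, index of the group holding the candidate secret).
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0),
    ("credential-literal",
     re.compile(r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[=:]\s*[\"']([^\"']{8,})[\"']"),
     2),
]

# Substrings that mark documentation placeholders rather than live values.
PLACEHOLDER_MARKERS = ("EXAMPLE", "CHANGEME", "XXXX", "<", "${")


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking secrets score high, plain words score low."""
    if not s:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(candidate: str) -> bool:
    upper = candidate.upper()
    return any(marker in upper for marker in PLACEHOLDER_MARKERS)


def scan_text(branch: str, path: str, content: str) -> List[Finding]:
    """Apply every rule to every line of one file and return the hits."""
    findings: List[Finding] = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for name, pattern, group in RULES:
            match = pattern.search(line)
            if not match:
                continue
            candidate = match.group(group)
            if is_placeholder(candidate):
                continue
            # Only the generic rule needs an entropy gate; the others are structural.
            if name == "credential-literal" and shannon_entropy(candidate) < 3.0:
                continue
            findings.append(Finding(branch, path, lineno, name))
    return findings


def scan_snapshots(snapshots: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    """Scan every branch, not just the default one: a secret deleted from main
    often survives on an old feature branch or in history."""
    findings: List[Finding] = []
    for branch, files in snapshots.items():
        for path, content in files:
            findings.extend(scan_text(branch, path, content))
    return sorted(findings)


if __name__ == "__main__":
    for f in scan_snapshots(REPO_SNAPSHOTS):
        print(f"{f.branch}:{f.path}:{f.line} {f.rule}")
```

Run as-is, the scanner reports nothing on `main` (the password comes from the environment and the README key is flagged as a placeholder) but two findings on `feature/old-login`: the hard-coded password and the committed private key. That is exactly the case a default-branch-only check misses, which is why the verification described in the quote has to cover historical branches as well.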
On Wednesday, White House officials said the Biden administration is working on several steps to respond to the SolarWinds compromise, which federal officials have attributed to Russia. Although only a handful of victim organizations have been identified publicly, the true number could be far higher, given that SolarWinds officials said about 18,000 of its customers downloaded the malicious update for its Orion platform.
“The scale of potential access far exceeded the number of known compromises,” Anne Neuberger, the deputy national security adviser for cyber and emerging technology, said during a press briefing Wednesday. “Many of the private sector compromises are technology companies, including networks of companies whose products could be used to launch additional intrusions.”